Homemade Browser Targeting Banco do Brasil Users

Cybercriminals in Brazil appear to have come up with a new tactic to lure users into giving up their login information. A few days ago, we found a post on a Brazilian forum offering a browser that could access the website of the Banco do Brasil without using the needed security plugin.

Figure 1. Homemade browser ad

Users that clicked the download link download a zip file. Inside this compressed file, there two executable files: one was the browser itself, which is called Navegador BB, and another which has the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)

The third file is a text file which contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not needing the usual security plugin by pretending that it is a mobile browser, as can be seen by examining the User-Agent HTTP header (click on the thumbnail to see the full strings):

Figure 2. Strings used to spoof the User-Agent header

It’s also worth noting that this homemade browser doesn’t even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank’s site.

Figure 3. The homemade browser accessing the mobile Banco de Brasil site

This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps to make accessing sites more convenient. Previously, we found an application that claimed to get the credit scores and criminal records of Brazilians.

One more thing to note. The author of this “browser” also created a version of BANCOS that ““outsourced” its distribution to lower level cybercriminals.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:

Security Predictions for 2020

Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.Read our security predictions for 2020.

Business Process Compromise

Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more,
read our Security 101: Business Process Compromise.